How can variables be properly masked in SQL queries in PHP?

When a variable goes into a SQL query in PHP, the reliable defence is not to escape it into the query text at all but to keep it out of the SQL entirely: use a prepared statement with a parameterized query. The query template and the values are sent to the database separately, so a bound value is always treated as data and is never parsed as SQL, whatever characters it contains. Manual escaping (for example `mysqli_real_escape_string()`) is a weaker fallback: it must be applied to every variable without exception and it only works when the connection character set is set correctly. Note also that placeholders can only stand in for values; table and column names, ORDER BY columns and similar identifiers cannot be bound and must be checked against a fixed allow-list before they are placed into the query text.

// Example of passing a variable into a SQL query safely with a PDO prepared statement
$pdo = new PDO(
    'mysql:host=localhost;dbname=mydatabase;charset=utf8mb4',
    'username',
    'password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION] // fail loudly instead of silently returning false
);

// Prepare a SQL query with a named placeholder; the SQL text never contains the user's input
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');

// Bind the variable to the placeholder and execute the query
$username = $_POST['username'] ?? '';
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
$stmt->execute();

// Fetch the results
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Loop through the results; escape on output so the stored value cannot become HTML or script either
foreach ($results as $row) {
    echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . "<br>";
}
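To make the difference concrete, here is an added example (not part of the original answer) that runs the same lookup two ways against an in-memory SQLite database, so it works offline without a MySQL server. The table, its three rows, the attacker input and the helper names `findUserUnsafe`, `findUserSafe` and `listUsersSorted` are all constructed for this example.

```php
<?php
// Added example: string concatenation versus a prepared statement, plus an allow-list
// for an identifier that cannot be bound. Everything below is constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (username, role) VALUES (:u, :r)');
foreach ([['alice', 'admin'], ['bob', 'user'], ['carol', 'user']] as [$u, $r]) {
    $insert->execute([':u' => $u, ':r' => $r]);
}

// Vulnerable: the variable becomes part of the SQL text, so a quote in it changes the query.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT username, role FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll();
}

// Safe: the SQL text is fixed; the value travels separately as a bound parameter.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username, role FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll();
}

// Placeholders only work for values. A sort column is an identifier and cannot be bound,
// so it is checked against a fixed allow-list before it is placed into the SQL text.
function listUsersSorted(PDO $pdo, string $sortColumn): array
{
    $allowed = ['username', 'role'];
    if (!in_array($sortColumn, $allowed, true)) {
        throw new InvalidArgumentException("Unsupported sort column: $sortColumn");
    }
    return $pdo->query("SELECT username, role FROM users ORDER BY $sortColumn")->fetchAll();
}

// Constructed attacker input: closes the string literal and appends an always-true condition.
$payload = "nobody' OR '1'='1";

$unsafe = findUserUnsafe($pdo, $payload);
$safe   = findUserSafe($pdo, $payload);
printf("Unsafe lookup returned %d row(s)\n", count($unsafe));
printf("Safe lookup returned %d row(s)\n", count($safe));

// A legitimate name still works through the prepared statement.
printf("Safe lookup for alice: %s\n", json_encode(findUserSafe($pdo, 'alice')));

// The identifier allow-list rejects an injection attempt on the ORDER BY column.
try {
    listUsersSorted($pdo, 'role; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
echo 'Sorted by role: ', json_encode(array_column(listUsersSorted($pdo, 'role'), 'username')), "\n";
```

With the payload above, the concatenated query turns into `... WHERE username = 'nobody' OR '1'='1'` and returns every row in the table, while the prepared statement looks for a user literally named `nobody' OR '1'='1` and returns none. When the same code is pointed at MySQL, set `PDO::ATTR_EMULATE_PREPARES` to `false` so that the MySQL driver performs real server-side binding rather than escaping values into the query text client-side.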